a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b

General

Target

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
Size

517KB
MD5

0d0d474a1e1a09a0d9d5e8f375438475
SHA1

6e7ddc644600681ea16847191d2fe2b16375f0a7
SHA256

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b
SHA512

3d3a0017253463cd45a1d38a28e02276f72a8d2cf073a7b49c40251ed63e59f3e56efbe7becf3b623f8d4b24d3047aa8dc536b95937a1a6ef044fe771863402a

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

bitsuser.exe~3553.tmpsrdeheme.exe

pid process

1768 bitsuser.exe
316 ~3553.tmp
1360 srdeheme.exe

Loads dropped DLL 3 IoCs

Processes:

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exebitsuser.exe

pid	process
1096	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
1096	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
1768	bitsuser.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\compkmgr = "C:\\Users\\Admin\\AppData\\Roaming\\DpiSdVol\\bitsuser.exe"	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

Drops file in System32 directory 1 IoCs

Processes:

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

description ioc process

File created C:\Windows\SysWOW64\srdeheme.exe a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\srdeheme.exe	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bitsuser.exeExplorer.EXEsrdeheme.exe

pid	process
1768	bitsuser.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE
1360	srdeheme.exe
1248	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exebitsuser.exe~3553.tmp

description	pid	process	target process
PID 1096 wrote to memory of 1768	1096	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	bitsuser.exe
PID 1096 wrote to memory of 1768	1096	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	bitsuser.exe
PID 1096 wrote to memory of 1768	1096	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	bitsuser.exe
PID 1096 wrote to memory of 1768	1096	a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe	bitsuser.exe
PID 1768 wrote to memory of 316	1768	bitsuser.exe	~3553.tmp
PID 1768 wrote to memory of 316	1768	bitsuser.exe	~3553.tmp
PID 1768 wrote to memory of 316	1768	bitsuser.exe	~3553.tmp
PID 1768 wrote to memory of 316	1768	bitsuser.exe	~3553.tmp
PID 316 wrote to memory of 1248	316	~3553.tmp	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248
- C:\Users\Admin\AppData\Local\Temp\a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
  "C:\Users\Admin\AppData\Local\Temp\a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Roaming\DpiSdVol\bitsuser.exe
    "C:\Users\Admin\AppData\Roaming\DpiSdVol\bitsuser.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\~3553.tmp
      "C:\Users\Admin\AppData\Local\Temp\~3553.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:316
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
    3⤵
    PID:292

C:\Windows\SysWOW64\srdeheme.exe
C:\Windows\SysWOW64\srdeheme.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~3553.tmp

MD5
fd28ee7da4b9307e071efbd8b625795f

SHA1
a43bffa92ef4e0d4141327e5317d30bebfc123f7

SHA256
33c6ba5fff016036a33a0ce142bfccda861149341d5c3d5967bbfa883fa7c6fb

SHA512
9d1fb27d4b413b0bbadae8e6cb62bcaf9e71f17599c31e168a3e7b529e9e5d3c202fe26c4de2dbae40268ca448038b933e6195e0dbc240b7ddf0eb0b1aa4ea92

Download Submit
C:\Users\Admin\AppData\Roaming\DpiSdVol\bitsuser.exe

MD5
95e6b839210f262edcb1724c178105ff

SHA1
19579a71ea56c175a44f0b9e00d5c9a714f5ff44

SHA256
c108508a7537e587886b6172936f1322e2fe8e0159b08ee9ebb78080aa6330b7

SHA512
16831f59bff48224c38201903661cc2c33891c08d865191d20b9e7f8082793571f37cbee18a5efdc020a526c9490a644037ad1aa43d8d2771783d0e99c669ce9

Download Submit
C:\Users\Admin\AppData\Roaming\DpiSdVol\bitsuser.exe

MD5
95e6b839210f262edcb1724c178105ff

SHA1
19579a71ea56c175a44f0b9e00d5c9a714f5ff44

SHA256
c108508a7537e587886b6172936f1322e2fe8e0159b08ee9ebb78080aa6330b7

SHA512
16831f59bff48224c38201903661cc2c33891c08d865191d20b9e7f8082793571f37cbee18a5efdc020a526c9490a644037ad1aa43d8d2771783d0e99c669ce9

Download Submit
C:\Windows\SysWOW64\srdeheme.exe

MD5
0d0d474a1e1a09a0d9d5e8f375438475

SHA1
6e7ddc644600681ea16847191d2fe2b16375f0a7

SHA256
a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b

SHA512
3d3a0017253463cd45a1d38a28e02276f72a8d2cf073a7b49c40251ed63e59f3e56efbe7becf3b623f8d4b24d3047aa8dc536b95937a1a6ef044fe771863402a

Download Submit
C:\Windows\SysWOW64\srdeheme.exe

MD5
0d0d474a1e1a09a0d9d5e8f375438475

SHA1
6e7ddc644600681ea16847191d2fe2b16375f0a7

SHA256
a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b

SHA512
3d3a0017253463cd45a1d38a28e02276f72a8d2cf073a7b49c40251ed63e59f3e56efbe7becf3b623f8d4b24d3047aa8dc536b95937a1a6ef044fe771863402a

Download Submit
\Users\Admin\AppData\Local\Temp\~3553.tmp

MD5
fd28ee7da4b9307e071efbd8b625795f

SHA1
a43bffa92ef4e0d4141327e5317d30bebfc123f7

SHA256
33c6ba5fff016036a33a0ce142bfccda861149341d5c3d5967bbfa883fa7c6fb

SHA512
9d1fb27d4b413b0bbadae8e6cb62bcaf9e71f17599c31e168a3e7b529e9e5d3c202fe26c4de2dbae40268ca448038b933e6195e0dbc240b7ddf0eb0b1aa4ea92

Download Submit
\Users\Admin\AppData\Roaming\DpiSdVol\bitsuser.exe

MD5
95e6b839210f262edcb1724c178105ff

SHA1
19579a71ea56c175a44f0b9e00d5c9a714f5ff44

SHA256
c108508a7537e587886b6172936f1322e2fe8e0159b08ee9ebb78080aa6330b7

SHA512
16831f59bff48224c38201903661cc2c33891c08d865191d20b9e7f8082793571f37cbee18a5efdc020a526c9490a644037ad1aa43d8d2771783d0e99c669ce9

Download Submit
\Users\Admin\AppData\Roaming\DpiSdVol\bitsuser.exe

MD5
95e6b839210f262edcb1724c178105ff

SHA1
19579a71ea56c175a44f0b9e00d5c9a714f5ff44

SHA256
c108508a7537e587886b6172936f1322e2fe8e0159b08ee9ebb78080aa6330b7

SHA512
16831f59bff48224c38201903661cc2c33891c08d865191d20b9e7f8082793571f37cbee18a5efdc020a526c9490a644037ad1aa43d8d2771783d0e99c669ce9

Download Submit
memory/316-68-0x0000000000000000-mapping.dmp

Download
memory/1096-59-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1096-60-0x00000000002E0000-0x0000000000375000-memory.dmp

Filesize
596KB

Download
memory/1248-74-0x00000000024C0000-0x0000000002503000-memory.dmp

Filesize
268KB

Download
memory/1360-75-0x0000000000420000-0x00000000004B5000-memory.dmp

Filesize
596KB

Download
memory/1768-63-0x0000000000000000-mapping.dmp

Download
memory/1768-73-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads